Abstract

In the past few years there has been a growing interest in proving the security of cryptographic protocols, such as key distribution protocols, from the sole assumption that the systems of Alice and Bob cannot signal to each other. This can be achieved by making sure that Alice and Bob perform their measurements in a space-like separated way (so that signalling is impossible according to the non-signalling postulate of relativity theory) or by shielding their apparatus. Unfortunately, it was proven in [11] that, no matter which hash function is used, privacy amplification is impossible if we only impose non-signalling conditions between Alice and Bob and not within their systems.

In this letter we reduce the gap between the assumptions of [11] and the physically relevant assumptions, from an experimental point of view, which say that the systems can only signal forward in time within the systems of Alice and Bob. We consider a set of assumptions which is very close to these conditions and prove that the impossibility result of [11] still holds.

1 Introduction and Contribution 
1.1 Non-signalling cryptography 

In the past few years there has been a growing interest in proving the security of cryptographic protocols, such as quantum key distribution (QKD) protocols, from the sole assumption that the system on which the protocol is being executed does not allow for signalling between Alice and Bob. One way to make sure that this assumption holds is for Alice and Bob to have secure, shielded laboratories, such that information cannot leak outside. It could also be ensured by performing Alice's and Bob's measurements in a space-like separated way; this way, relativity theory predicts the impossibility of signalling between them. For this reason, such cryptographic protocols are sometimes called "relativistic protocols". Since the condition that information cannot leak outside is a necessary condition in any cryptographic protocol (otherwise the key could just leak out to the adversary, Eve), basing the security proof on this condition alone means that the protocol has minimal assumptions.

We consider families of protocols which have two special properties. First, the security of the protocols is based only on the observed correlations of Alice's and Bob's measurement outcomes and not on the physical apparatus they use, i.e., the protocols are device-independent [17, 18]. In device-independent protocols we assume that the system of Alice and Bob was prepared by the adversary Eve. Note that although the system was created by Eve, Alice and Bob have to be able to make sure that information does not leak outside, by shielding the systems. Alice and Bob therefore perform some (unknown) measurements on their system, and privacy should be concluded only from the correlations of the outcomes.

Second, in the protocols that we consider, the adversary is limited only by the non-signalling principle and not by quantum physics (i.e., a super-quantum adversary). By combining these two properties we can say that quantum physics guarantees that the protocol works, but the security is completely independent of quantum physics.



1.2 Systems and correlations 

For two correlated random variables $X, U$ over $\mathcal{A}_1 \times \mathcal{A}_2$, we denote the conditional probability distribution of $X$ given $U$ by $P_{X|U}(x|u) = \Pr(X = x \mid U = u)$.

A bipartite system is defined by the joint input-output behavior $P_{XY|UV}$ (see Figure 1).

Figure 1: A bipartite system



In a system $P_{XY|UV}$, $U$ and $X$ are usually Alice's input and output respectively, while $V$ and $Y$ are Bob's input and output. We denote Alice's interface of the system by $X(U)$ and Bob's interface by $Y(V)$. In a similar way, when considering a tripartite system $P_{XYZ|UVW}$, Eve's interface of the system is denoted by $Z(W)$.

We are interested in non-local systems, i.e., systems which cannot be described by shared randomness of the parties. Bell proved in [3] that entangled quantum states can display non-local correlations under measurements. Bell's work was an answer to Einstein, Podolsky, and Rosen's claim in [9] that quantum physics is incomplete and should be augmented by classical variables determining the behavior of every system under any possible measurement. In this letter we deal with a specific type of Bell inequality, called the CHSH inequality after [7].

We can think about the CHSH inequality as a game. In the CHSH game Alice and Bob share a bipartite system $P_{XY|UV}$. Alice gets a uniformly random input $U$, Bob gets a uniformly random input $V$, and the goal is that the outputs of Alice and Bob, $X$ and $Y$ respectively, satisfy $X \oplus Y = U \cdot V$. For all local systems the probability of winning the game satisfies $\Pr[X \oplus Y = U \cdot V] \le 0.75$. This can be easily seen from the fact that only three out of the four conditions represented by $\Pr[X \oplus Y = u \cdot v] = 1$ (one for each input pair $(u, v)$) can be satisfied together by a deterministic local strategy, and every local system is a mixture of such strategies. If a system violates the inequality then it is non-local.

Definition 1.1. (CHSH non-locality). A system $P_{XY|UV}$ is non-local if $\frac{1}{4} \sum_{u,v} \Pr[X \oplus Y = u \cdot v] > 0.75$.

When measuring entangled quantum states one can achieve roughly 85%; this is a Bell inequality violation. The maximal violation of the CHSH inequality, i.e. $\Pr[X \oplus Y = u \cdot v] = 1$ for any $u, v$, is achieved by the following system, called a Popescu-Rohrlich box, or a PR-box [20].

Figure 2: PR-box

Definition 1.2. (PR-box). A PR-box is the following bipartite system $P_{XY|UV}$: for each input pair $(u, v)$, the random variables $X$ and $Y$ are uniform bits and we have $\Pr[X \oplus Y = u \cdot v] = 1$ (see Figure 2).

As seen from Figure 2 the outputs are perfectly random, and since the correlations are non-local, they cannot be described by pre-shared randomness; i.e., PR-boxes correspond to perfect secrecy. This suggests that PR-boxes could be a good resource for cryptographic protocols. Unfortunately, perfect PR-boxes do not exist in nature; as was proven by Tsirelson [6], quantum physics is non-local, but not maximally. Therefore, for a protocol which can be implemented using quantum systems, we should consider approximations of PR-boxes, or PR-boxes with some error. For example, an 85%-approximation can be achieved with maximally entangled qubits. For a more general treatment we can define the following.

Definition 1.3. (Unbiased PR-box with error $\varepsilon$). An unbiased PR-box with error $\varepsilon$ is the following bipartite system $P_{XY|UV}$: for each input pair $(u, v)$, the random variables $X$ and $Y$ are uniform bits and we have $\Pr[X \oplus Y = u \cdot v] = 1 - \varepsilon$ (see Figure 3).

Note that the error here is the same error for all inputs. In a similar way we can define different 
errors for different inputs. 

Using this notation, systems $P_{XY|UV}$ which approximate the PR-box with error $\varepsilon \in [0, 0.25)$ are non-local. For a proof that any unbiased PR-box with error $\varepsilon < 0.25$ "holds" some secrecy, see for example Lemma 5 in [12]. While PR-boxes correspond to perfect secrecy, PR-boxes with error correspond to partial secrecy. The problem is that the amount of secrecy (defined formally in Section 2.3) which can be achieved from a quantum system is not enough for our purposes. Therefore we must have some privacy amplification protocol in order for such systems to be useful.
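The CHSH game, the local bound, the quantum value and the unbiased PR-box of Definitions 1.1 to 1.3 can all be checked numerically. The following Python script is an added example written for this edition and is not code from the original letter. It represents a bipartite system as a table $P_{XY|UV}$, enumerates the 16 deterministic local strategies to recover the 0.75 bound, builds the unbiased PR-box with error $\varepsilon$, and reproduces the $\cos^2(\pi/8) \approx 0.854$ value of a maximally entangled qubit pair. The measurement angles and the correlation formula $E(a, b) = \cos 2(a - b)$ for real measurements on $|\Phi^+\rangle$ are assumptions of the example, not taken from the text.

```python
import itertools
import math

PAIRS = list(itertools.product((0, 1), repeat=2))  # all (u, v) input pairs and (x, y) output pairs


def chsh_win_probability(system):
    """Left-hand side of Definition 1.1: the average over the four uniformly chosen input
    pairs of Pr[X xor Y = u v], for a system given as system[(u, v)][(x, y)] = P_{XY|UV}."""
    wins = 0.0
    for (u, v), outcomes in system.items():
        wins += sum(p for (x, y), p in outcomes.items() if (x ^ y) == (u & v))
    return wins / len(system)


def is_chsh_nonlocal(system):
    """Definition 1.1: a system is non-local if it wins the CHSH game with probability > 0.75."""
    return chsh_win_probability(system) > 0.75


def deterministic_local_box(fa, fb):
    """Local deterministic strategy: Alice outputs x = fa[u], Bob outputs y = fb[v]."""
    return {(u, v): {(x, y): 1.0 if (x, y) == (fa[u], fb[v]) else 0.0 for x, y in PAIRS}
            for u, v in PAIRS}


def best_local_win_probability():
    """Maximum of the CHSH winning probability over the 16 deterministic local strategies.
    Every local (shared-randomness) system is a convex mixture of these, so this is the
    local bound of the CHSH inequality."""
    return max(chsh_win_probability(deterministic_local_box(fa, fb))
               for fa in PAIRS for fb in PAIRS)


def unbiased_pr_box(eps=0.0):
    """Definition 1.3 (Definition 1.2 for eps = 0): uniform outputs with
    Pr[X xor Y = u v] = 1 - eps for every input pair."""
    return {(u, v): {(x, y): (1 - eps) / 2 if (x ^ y) == (u & v) else eps / 2 for x, y in PAIRS}
            for u, v in PAIRS}


def quantum_chsh_box():
    """Correlations of a maximally entangled qubit pair |Phi+> measured at the CHSH-optimal
    angles. Assumption of this example: real projective measurements at angles a and b give
    uniform outputs with correlation E(a, b) = cos(2(a - b))."""
    a = (0.0, math.pi / 4)            # Alice's measurement angle for u = 0, 1
    b = (math.pi / 8, -math.pi / 8)   # Bob's measurement angle for v = 0, 1
    system = {}
    for u, v in PAIRS:
        corr = math.cos(2 * (a[u] - b[v]))
        # Pr[X = Y] = (1 + E)/2 and Pr[X != Y] = (1 - E)/2, split evenly over the two outcomes
        system[(u, v)] = {(x, y): (1 + corr) / 4 if x == y else (1 - corr) / 4 for x, y in PAIRS}
    return system
```

With these tables, `is_chsh_nonlocal(unbiased_pr_box(eps))` is true exactly for $\varepsilon < 0.25$, matching the remark above, and the quantum box lands between the local bound and the PR-box.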

1.3 Privacy amplification 

In the privacy amplification problem we consider the following scenario. Alice and Bob share information that is only partially secret with respect to an adversary Eve. Their goal is to distill this information to a shorter string, the key, that is completely secret. The problem was introduced in [4, 5] for classical adversaries and in [13] for quantum adversaries. In our case, Alice and Bob want to create a secret key using a system $P_{XY|UV}$ while Eve, who is only limited by the non-signalling principle, tries to get some information about it.

Figure 3: Unbiased PR-box with error $\varepsilon$

Assume that Alice and Bob share a system from which they can create a partially secret bit string $X$. Information theoretically, if there is some entropy in one system, we can hope that by using several systems we will have enough entropy to create a more secure key. The idea behind privacy amplification is to consider Alice's and Bob's system as a black box, take several such systems which will produce several partially secret bit strings $X_1, \dots, X_n$, and then apply some hash function $f$ (which might take a short random seed as an additional input) to $X_1, \dots, X_n$, in order to receive a shorter but more secret bit string $K$, which will act as the key.

The amount of secrecy, as will be defined formally in Section 2.3, is usually measured by the distance of the actual system of Alice, Bob and Eve from an ideal system, in which the key is uniformly distributed and not correlated to the information held by Eve. We denote this distance by $d(K|E)$, where $E$ is Eve's system. We say that a system generating a key is $\varepsilon$-indistinguishable from an ideal system if $d(K|E) \le \varepsilon$ for some small $\varepsilon > 0$. Therefore, the problem of privacy amplification is actually the problem of finding such a 'good' function $f$.

Privacy amplification is said to be possible when $\varepsilon$ is a decreasing function of $n$, the number of systems held by Alice and Bob. In order to prove an impossibility result it is enough to give a specific system in which each of the subsystems holds some secrecy, but this secrecy cannot be amplified by using any hash function: the distance from uniform remains high, no matter what function Alice and Bob apply to their output bits and how many systems they share.

In the classical scenario this problem can be solved almost optimally by extractors [4, 14]. Although not all classical extractors work against quantum adversaries [4], some very good extractors do, for example [8]. Since we consider a super-quantum adversary, we cannot assume that protocols which work in the classical and quantum cases will stay secure against a more powerful adversary. Therefore a different treatment is needed when considering non-signalling adversaries.
1.4 Related work

Barrett, Hardy, and Kent have shown in [2] a protocol for QKD which is based only on the assumption that Alice and Bob cannot signal to each other. Unfortunately, the suggested protocol cannot tolerate any errors caused by noise in the quantum channel and is inefficient in the number of quantum systems used in order to produce one secure bit. This problem could have been solved by using a privacy amplification protocol which works even when the adversary is limited only by the non-signalling principle. Unfortunately, it was proven in [11] that such a privacy amplification protocol does not exist if signalling is possible within the laboratories of Alice and Bob.

On the contrary, in [12], [15] and [16] it was proven that if we assume full non-signalling conditions, i.e., that no subset of systems can signal to any other subset of systems, QKD which is based only on the non-locality of the correlations is possible. In particular, the step of privacy amplification is possible.

In the gap between these two extreme cases little has been known. There is one particular set of assumptions of special interest from an experimental point of view: the set of assumptions which says that the systems can only signal forward in time within the systems of Alice and Bob. For this setting it was only known that privacy amplification using the XOR or the AND function is impossible [14].

1.5 Contribution 

In this letter we reduce the gap between the assumptions of [11], in which signalling is impossible only between Alice and Bob, and the physically relevant assumptions which say that the systems can only signal forward in time within the systems of Alice and Bob. We consider a set of assumptions which is very close to the conditions which only allow signalling forward in time and prove that the impossibility result of [11] still holds.

Since our set of assumptions differs only slightly from the assumption of signalling only forward in time, called "backward non-signalling", we can highlight the specific assumptions which might make the difference between possibility and impossibility results. If the adversary does not need to exploit these specific assumptions, then privacy amplification will be impossible also under the physical assumptions of "backward non-signalling" systems. On the other hand, if privacy amplification is proved to be possible, we will know that the power of the adversary arises from these assumptions.

The proof given here is an extension of the proof in [11]. We prove that the adversarial strategy suggested in [11] is still valid under stricter non-signalling assumptions (Theorem 3.3), and as a consequence also under the assumption of an "almost backward non-signalling" system (Corollary 3.5). This implies that privacy amplification against non-signalling adversaries is impossible under our stricter assumptions (which include many more non-signalling conditions than in [11]), as stated formally in Theorem 3.3.

1.6 Outline 

The rest of this letter is organized as follows. In Section 2 we describe several different non-signalling conditions and explain the model of non-signalling adversaries. In Section 3 we define a specific system which respects many non-signalling conditions and yet cannot be used, with any privacy amplification protocol, to create an arbitrarily secure bit. In addition, we prove that an impossibility result for our set of assumptions implies an impossibility result for "almost backward non-signalling" systems (Corollary 3.5). In Section 4 we prove our main theorem, Theorem 3.3. We conclude in Section 5.
2 Preliminaries



2.1 Notations 

We denote the set $\{1, \dots, n\}$ by $[n]$. For any string $x \in \{0,1\}^n$ and any subset $I \subseteq [n]$, $x_i$ stands for the $i$'th bit of $x$ and $x_I \in \{0,1\}^{|I|}$ stands for the string formed by the bits of $x$ at the positions given by the elements of $I$. $\bar I$ is the complementary set of $I$, i.e., $\bar I = [n] \setminus I$. $x_{\bar i}$ is the string formed by all the bits of $x$ except for the $i$'th bit.

For two correlated random variables $X, U$ over $\mathcal{A}_1 \times \mathcal{A}_2$, we denote the conditional probability distribution of $X$ given $U$ as $P_{X|U}(x|u) = \Pr(X = x \mid U = u)$.

2.2 Non-signalling systems 

We start by formally defining the different types of non-signalling systems and conditions which will 
be relevant in this letter. 

Definition 2.1. (Fully non-signalling system). An $n$-party conditional probability distribution $P_{X|U}$ over $X, U \in \{0,1\}^n$ is called a fully non-signalling system if for any set $I \subseteq [n]$,

$$\forall x_{\bar I}, u_I, u'_I, u_{\bar I} \quad \sum_{x_I \in \{0,1\}^{|I|}} P_{X|U}(x_I, x_{\bar I} \mid u_I, u_{\bar I}) = \sum_{x_I \in \{0,1\}^{|I|}} P_{X|U}(x_I, x_{\bar I} \mid u'_I, u_{\bar I}).$$

This definition implies that any group of parties cannot infer from their part of the system which inputs were given by the other parties. A measurement of a subset $I$ of the parties does not change the statistics of the outcomes of the parties $\bar I$; the marginal system they see is the same for all inputs of the other parties. This means that different parties cannot signal to other parties using only the system. Note that this type of condition is not symmetric. The fact that the parties $I$ cannot signal to the parties $\bar I$ does not imply that the parties $\bar I$ cannot signal to the parties $I$. The fully non-signalling conditions can also be written in the following way.

Lemma 2.2. (Lemma 2.7 in [10]). An $n$-party system $P_{X|U}$ over $X, U \in \{0,1\}^n$ is a fully non-signalling system if and only if for all $i \in [n]$,

$$\forall x_{\bar i}, u_i, u'_i, u_{\bar i} \quad \sum_{x_i \in \{0,1\}} P_{X|U}(x_i, x_{\bar i} \mid u_i, u_{\bar i}) = \sum_{x_i \in \{0,1\}} P_{X|U}(x_i, x_{\bar i} \mid u'_i, u_{\bar i}).$$

In order to make sure that the fully non-signalling conditions of Definition 2.1 hold, one would have to create the system such that each of the $2n$ subsystems is space-like separated from all the others, or shielded, to exclude signalling. This is of course impractical from an experimental point of view. Therefore, we need to consider more practical, weaker, conditions. A minimal requirement needed for any useful system is that Alice cannot signal to Bob and vice versa¹. We stress that this is an assumption, since the non-signalling condition cannot be tested (not even with some small error) using a parameter estimation protocol as a previous step. This assumption can be justified physically by shielding the systems or by performing the measurements in a space-like separated way.

¹ If we do not ensure this condition, say by making sure that they are in space-like separated regions or by shielding their systems, the measured Bell violation will have no meaning and any protocol based on some kind of non-locality will fail.
Definition 2.3. (Non-signalling between Alice and Bob). A $2n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ does not allow for signalling from Alice to Bob if

$$\forall y, u, u', v \quad \sum_x P_{XY|UV}(x, y \mid u, v) = \sum_x P_{XY|UV}(x, y \mid u', v)$$

and does not allow for signalling from Bob to Alice if

$$\forall x, v, v', u \quad \sum_y P_{XY|UV}(x, y \mid u, v) = \sum_y P_{XY|UV}(x, y \mid u, v').$$
On top of the assumption that Alice and Bob cannot signal to each other, we can now add different types of non-signalling conditions. In a more mathematical way, we can think about it as follows. The full non-signalling conditions are a set of linear equations as in Definition 2.1 and Lemma 2.2. We can assume that all of these equations hold (this is the full non-signalling scenario) or we can use just a subset (which does not span the whole set) of these equations.

One type of system which is physically interesting is the system which can only signal forward in time (messages cannot be sent to the past). This is easily achieved by measuring several quantum systems one after another, and therefore these are the non-signalling conditions that one "gets for free" when performing a QKD experiment. For example, an entanglement-based protocol in which Alice and Bob receive entangled photons and measure them one after another using the same apparatus will lead to the conditions of Definition 2.4. If the apparatus has memory, signalling is possible from $A_i$ to $A_{i+1}$, for example. However, signals cannot go outside from Alice's laboratory to Bob's laboratory. Formally, we use the following definition for backward non-signalling systems.

Definition 2.4. (Backward non-signalling system). For any $i \in [n]$ denote the set $\{1, \dots, i-1\}$ by $I_1$ (empty for $i = 1$) and the set $\{i, \dots, n\}$ by $I_2$. A $2n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ is a backward non-signalling system (does not allow for signalling backward in time) if for any $i \in [n]$,

$$\forall x_{I_1}, y, u_{I_1}, u_{I_2}, u'_{I_2}, v \quad \sum_{x_{I_2}} P_{XY|UV}(x_{I_1}, x_{I_2}, y \mid u_{I_1}, u_{I_2}, v) = \sum_{x_{I_2}} P_{XY|UV}(x_{I_1}, x_{I_2}, y \mid u_{I_1}, u'_{I_2}, v),$$

and the analogous condition holds with the roles of Alice and Bob exchanged.



In order to understand why these are the conditions that we choose to call "backward non-signalling", note that in these conditions Alice's (and analogously Bob's) systems $A_{I_2}$ cannot signal not only to $A_{I_1}$, but even to $A_{I_1}$ and all of Bob's systems together. I.e., $A_{I_2}$ cannot change the statistics of $A_{I_1}$ and $B$, even if they are collaborating with one another. Another way to see why these conditions make sense is to consider a scenario in which Bob, for example, performs all of his measurements first. This of course should not change the results of the experiment, since Alice and Bob are separated and cannot send signals to each other. Therefore, when Alice performs her measurements on the systems $A_{I_2}$, her outcomes cannot impact the statistics of both $A_{I_1}$ and $B$ together.

In this letter we consider a different set of conditions, which does not allow for most types of 
signalling to the past. 
Figure 4: Different non-signalling conditions: signalling is impossible in the direction of the straight red arrow. (a) Non-signalling between Alice and Bob. (b) The conditions of Definition 2.5, almost backward non-signalling conditions, for $i = 3$. Note that signalling may be possible in the direction of the curly blue arrow. (c) The conditions of Definition 2.4, backward non-signalling conditions, for $i = 3$. (d) Full non-signalling conditions. The conditions we consider are the combination of (a) and (b).



Definition 2.5. (Almost backward non-signalling system). For any $i \in [n]$ denote the set $\{1, \dots, i-1\}$ by $I_1$ and the set $\{i, \dots, n\}$ by $I_2$. A $2n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ is an almost backward non-signalling system if for any $i \in [n]$,

$$\forall x_{I_1}, y_{I_1}, u_{I_1}, u_{I_2}, u'_{I_2}, v_{I_1}, v_{I_2}, v'_{I_2} \quad \sum_{x_{I_2}, y_{I_2}} P_{XY|UV}(x_{I_1}, x_{I_2}, y_{I_1}, y_{I_2} \mid u_{I_1}, u_{I_2}, v_{I_1}, v_{I_2}) = \sum_{x_{I_2}, y_{I_2}} P_{XY|UV}(x_{I_1}, x_{I_2}, y_{I_1}, y_{I_2} \mid u_{I_1}, u'_{I_2}, v_{I_1}, v'_{I_2}).$$

Figure 4 visualizes the difference between all of these non-signalling conditions.

The difference between the conditions of Definition 2.4 and Definition 2.5 is that under the conditions of an almost backward non-signalling system signalling is not forbidden from $A_i$ to $B_i$ and $A_j$ together, for any $i$ and $j < i$. I.e., if $A_i$ wants to signal to some system in the past, $A_j$, then $B_i$ has to cooperate with $A_j$. To see this, consider the following system for example. Alice and Bob share a system $P_{XY|UV}$ for $X, Y, U, V \in \{0,1\}^2$. We define the system such that each of the outputs is a perfectly random bit, independent of any input, except for $X_1$, which is equal to $Y_2 \oplus U_2$. Obviously, the outputs on Bob's side look completely random and independent of any input, i.e., the system is non-signalling from Alice to Bob. Now note that whenever we do not have access to $Y_2$, $X_1$ also looks like a perfectly random bit, independent of the input. Therefore, the system is also non-signalling from Bob to Alice, and almost backward non-signalling. However, the conditions of Definition 2.4 do not hold, since the input $U_2$ can be perfectly learned from $X_1$ and $Y_2$ (i.e., $A_2$ can signal to $A_1$ and $B_2$ together).
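The four kinds of non-signalling conditions (Definitions 2.1, 2.3, 2.4 and 2.5) and the $n = 2$ example just given can be checked mechanically. The following Python script is an added example, not code from the original letter: it encodes a $2n$-party system as a table $P_{XY|UV}$, tests whether a set of "sender" parties can change the output statistics of a set of "receiver" parties while every other input is held fixed, and instantiates each definition as a choice of sender and receiver sets. Run on the example system ($X_1 = Y_2 \oplus U_2$, all other outputs uniform) it confirms Definitions 2.3 and 2.5 while Definition 2.4 fails; run on a product of PR-boxes (Definition 3.1) it confirms every condition. The party labels and table layout are this example's own conventions.

```python
import itertools

# A 2n-party system is a table system[(u, v)][(x, y)] = P_{XY|UV}(x, y | u, v), where u, v, x, y
# are length-n bit tuples. Party ('A', i) holds X_i(U_i) and party ('B', i) holds Y_i(V_i).


def bits(n):
    return itertools.product((0, 1), repeat=n)


def alice(n):
    return [('A', i) for i in range(1, n + 1)]


def bob(n):
    return [('B', i) for i in range(1, n + 1)]


def marginal(system, inputs, receivers):
    """Distribution of the receivers' outputs given the full input assignment (u, v)."""
    marg = {}
    for (x, y), p in system[inputs].items():
        key = tuple((x if side == 'A' else y)[i - 1] for side, i in receivers)
        marg[key] = marg.get(key, 0.0) + p
    return marg


def cannot_signal(system, n, senders, receivers, tol=1e-9):
    """True if, with every other party's input fixed, changing the senders' inputs never
    changes the receivers' output statistics (the linear equations of Section 2.2)."""
    senders = set(senders)
    groups = {}
    for (u, v) in system:
        # the input assignment restricted to the parties that are not senders
        fixed = tuple((u if side == 'A' else v)[i - 1]
                      for side, i in alice(n) + bob(n) if (side, i) not in senders)
        groups.setdefault(fixed, []).append(marginal(system, (u, v), receivers))
    for margs in groups.values():
        for m in margs[1:]:
            if any(abs(margs[0].get(k, 0.0) - m.get(k, 0.0)) > tol for k in set(margs[0]) | set(m)):
                return False
    return True


def nonsignalling_alice_bob(system, n):
    """Definition 2.3: neither Alice's side nor Bob's side can signal to the other."""
    return cannot_signal(system, n, alice(n), bob(n)) and cannot_signal(system, n, bob(n), alice(n))


def backward_nonsignalling(system, n):
    """Definition 2.4: A_{I_2} cannot signal to A_{I_1} and all of B together (and symmetrically
    for Bob), with I_1 = {1..i-1}, I_2 = {i..n}; i = 1 is just Definition 2.3."""
    for i in range(1, n + 1):
        i1, i2 = range(1, i), range(i, n + 1)
        if not cannot_signal(system, n, [('A', j) for j in i2], [('A', j) for j in i1] + bob(n)):
            return False
        if not cannot_signal(system, n, [('B', j) for j in i2], [('B', j) for j in i1] + alice(n)):
            return False
    return True


def almost_backward_nonsignalling(system, n):
    """Definition 2.5: A_{I_2} and B_{I_2} together cannot signal to A_{I_1} and B_{I_1} together
    (i = 1 has no receivers and is trivially satisfied)."""
    for i in range(2, n + 1):
        i1, i2 = range(1, i), range(i, n + 1)
        senders = [(s, j) for s in 'AB' for j in i2]
        receivers = [(s, j) for s in 'AB' for j in i1]
        if not cannot_signal(system, n, senders, receivers):
            return False
    return True


def fully_nonsignalling(system, n):
    """Definition 2.1: no subset of the 2n parties can signal to its complement."""
    parties = alice(n) + bob(n)
    for r in range(1, len(parties)):
        for senders in itertools.combinations(parties, r):
            receivers = [p for p in parties if p not in senders]
            if not cannot_signal(system, n, senders, receivers):
                return False
    return True


def example_system():
    """The n = 2 system of the text: all outputs uniform and independent of the inputs,
    except X_1 = Y_2 xor U_2 (probability 1/8 on the 8 consistent outcomes, 0 otherwise)."""
    return {(u, v): {(x, y): 0.125 if x[0] == (y[1] ^ u[1]) else 0.0
                     for x in bits(2) for y in bits(2)}
            for u in bits(2) for v in bits(2)}


def product_pr_boxes(n, eps=0.0):
    """Definition 3.1: product of n independent unbiased PR-boxes with error eps."""
    def cell(x, y, u, v):
        p = 1.0
        for i in range(n):
            p *= (1 - eps) / 2 if (x[i] ^ y[i]) == (u[i] & v[i]) else eps / 2
        return p
    return {(u, v): {(x, y): cell(x, y, u, v) for x in bits(n) for y in bits(n)}
            for u in bits(n) for v in bits(n)}
```

`cannot_signal` is the only primitive; each definition differs only in which parties are senders and which are receivers, which is exactly the "subset of the linear equations" view taken above.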

For every system Pxy\uv which fulfills some arbitrary non-signalling conditions we can define 
marginal systems and extensions to the system in the following way. 



Definition 2.6. (Marginal system). A system $P_{X|U}$ is called a marginal system of the system $P_{XZ|UW}$ if

$$\forall x, u, w \quad P_{X|U}(x \mid u) = \sum_z P_{XZ|UW}(x, z \mid u, w).$$

Note that for the marginal system $P_{X|U}$ of $P_{XZ|UW}$ to be well defined (i.e., independent of $w$), all we need is that the parties holding $Z(W)$ cannot signal to the parties holding $X(U)$.

Definition 2.7. (Extension system). A system $P_{XZ|UW}$ is called an extension of the system $P_{X|U}$, which fulfills some arbitrary set of non-signalling conditions $C$, if:

1. $P_{XZ|UW}$ does not allow for signalling between the parties holding $X(U)$ and the parties holding $Z(W)$.

2. The marginal system of $P_{XZ|UW}$ is $P_{X|U}$.

3. For any $z$, the conditional system $P^z_{X|U}$ fulfills the same non-signalling conditions $C$.

Note that for every system $P_{X|U}$ there are many different extensions. Next, in an analogous way to the definition of a classical-quantum state, $\rho_{XE} = \sum_x P_X(x) \, |x\rangle\langle x| \otimes \rho^x_E$, we would like to define a classical-non-signalling system.

Definition 2.8. (Classical-non-signalling system). A classical-non-signalling (c-n.s.) system is a system $P_{XZ|UW}$ such that $|\mathcal{U}| = 1$.

We can think about it as a system in which some of the parties cannot choose or change the input on their side of the system. When it is clear from the context which side of the system is classical and which side is not, we drop the index which indicates the trivial choice for $U$ and just write $P_{XZ|W}$. Notice that for a general system with some $U$, after choosing an input $U = u_i$ we get the c-n.s. system $P_{XZ|U=u_i, W}$.

2.3 Distance measures 

In general, the distance between any two systems $P_{X|U}$ and $Q_{X|U}$ can be measured by introducing another entity, the distinguisher. Suppose $P_{X|U}$ and $Q_{X|U}$ are two known systems. The distinguisher gets one of these systems, $S$, and has to guess which system he was given. In the case of our non-signalling systems, the distinguisher can choose which measurements to make (which inputs to insert into the system) and see all the outputs. He then outputs a bit $B$ with his guess. The distinguishing advantage between the systems $P_{X|U}$ and $Q_{X|U}$ is the maximum guessing advantage the best distinguisher can have.

Definition 2.9. (Distinguishing advantage). The distinguishing advantage between two systems $P_{X|U}$ and $Q_{X|U}$ is

$$\delta(P_{X|U}, Q_{X|U}) = \max_D \left[ \Pr(B = 1 \mid S = P_{X|U}) - \Pr(B = 1 \mid S = Q_{X|U}) \right],$$

where the maximum is over all distinguishers $D$, $S$ is the system which is given to the distinguisher and $B$ is its output bit. Two systems $P_{X|U}$ and $Q_{X|U}$ are called $\varepsilon$-indistinguishable if $\delta(P_{X|U}, Q_{X|U}) \le \varepsilon$.

If the distinguisher is given an $n$-party system for $n > 1$, he can choose not only the $n$ inputs but also the order in which he inserts them. The distinguisher can be adaptive, i.e., after choosing an input and seeing an output he can base his later decisions for the following inputs on the results seen so far. Therefore the maximization in this case is over the order of the measurements and their values.

If the distinguisher is asked to distinguish between two c-n.s. systems we can equivalently write 
the distinguishing advantage as in the following lemma. 
Lemma 2.10. (Distinguishing advantage between two c-n.s. systems). The distinguishing advantage between two c-n.s. systems $P_{KZ|W}$ and $Q_{KZ|W}$ is

$$\delta(P_{KZ|W}, Q_{KZ|W}) = \sum_k \max_w \sum_z \left| P_{KZ|W=w}(k, z) - Q_{KZ|W=w}(k, z) \right|.$$

Proof. In order to distinguish between two c-n.s. systems $P_{KZ|W}$ and $Q_{KZ|W}$, the distinguisher has only one input to choose, $W$. In addition, because the distinguisher has no choice for the input of the classical part, the distinguishing advantage can only increase if the distinguisher first reads the classical part of the system and then chooses $W$ according to the value of $K$. Therefore, for two c-n.s. systems, the best strategy is to read $K$ and then to choose the best $W$, as indicated in the expression above. □

The distance (in norm 1) between two systems is defined to be half of the distinguishing advantage 
between these systems. 

Definition 2.11. (Distance between two c-n.s. systems). The distance between two c-n.s. systems $P_{KZ|W}$ and $Q_{KZ|W}$ in norm 1 is

$$\left\| P_{KZ|W} - Q_{KZ|W} \right\| = \frac{1}{2} \sum_k \max_w \sum_z \left| P_{KZ|W=w}(k, z) - Q_{KZ|W=w}(k, z) \right|.$$



In a cryptographic setting, we mostly consider the distance between the real system, in which the key is calculated from the output of the system held by the parties, and an ideal system. The ideal system in our case is a system in which the key is uniformly distributed and independent of the adversary's system. For a c-n.s. system $P_{KZ|W}$ where $K$ is over $\{0,1\}^n$, let $U_n$ denote the uniform distribution over $\{0,1\}^n$ and let $P_{Z|W}$ be the marginal system held by the adversary. The distance from uniform is defined as follows.

Definition 2.12. (Distance from uniform). The distance from uniform of the c-n.s. system $P_{KZ|W}$ is

$$d(K|Z(W)) = \left\| P_{KZ|W} - U_n \times P_{Z|W} \right\|,$$

where the system $U_n \times P_{Z|W}$ is defined such that $(U_n \times P_{Z|W})(k, z \mid w) = U_n(k) \cdot P_{Z|W}(z \mid w)$.

In the following sections we consider the distance from uniform given a specific input (measurement) of the adversary, $W = w$. In this case, according to Definition 2.12, we get

$$d(K|Z(w)) = \frac{1}{2} \sum_{k,z} \left| P_{KZ|W=w}(k, z) - U_n(k) \cdot P_{Z|W=w}(z) \right| = \frac{1}{2} \sum_{k,z} P_{Z|W=w}(z) \left| P_{K|Z=z}(k) - \frac{1}{2^n} \right|. \quad (1)$$
2.4 Modeling non-signalling adversaries

When modeling a non-signalling adversary, the question in mind is: given a system $P_{XY|UV}$ shared by Alice and Bob, for which some arbitrary non-signalling conditions hold, which extensions to a system $P_{XYZ|UVW}$, including the adversary Eve, are possible? The only principle which limits Eve is the non-signalling principle, which means that the conditional system $P^z_{XY|UV}$, for any $z \in \mathcal{Z}$, must fulfill all of the non-signalling conditions that $P_{XY|UV}$ fulfills, and in addition $P_{XYZ|UVW}$ does not allow signalling between Alice and Bob together and Eve. Since any non-signalling assumptions about the system of Alice and Bob are ensured physically (by shielding the systems, for example), they must still hold even if Eve's output $z$ is given to some other party. Therefore the conditional system $P^z_{XY|UV}$ must also fulfill all the non-signalling conditions of $P_{XY|UV}$, which justifies our assumptions about the power of the adversary in this setting.



Figure 5: A three-partite system $P_{XYZ|UVW}$ with interfaces $X(U)$, $Y(V)$ and $Z(W)$

We adopt here the model of non-signalling adversaries given in [10, 11, 12]. We reduce the scenario in which Alice, Bob and Eve share a system $P_{XYZ|UVW}$ to the scenario considering only Alice and Bob in the following way. Because Eve cannot signal to Alice and Bob (even together) by her choice of input, we must have, for all $x, y, u, v, w, w'$,

$$\sum_z P_{XYZ|UVW}(x, y, z \mid u, v, w) = \sum_z P_{XYZ|UVW}(x, y, z \mid u, v, w') = P_{XY|UV}(x, y \mid u, v).$$

Moreover, as said before, since any non-signalling condition must still hold even if Eve's output $z$ is given to some other party, the system conditioned on Eve's outcome, $P^z_{XY|UV}$, must also fulfill all the non-signalling conditions of $P_{XY|UV}$. We can therefore see Eve's input as a choice of a convex decomposition of Alice's and Bob's system and her output as indicating one part of this decomposition. Formally,

Definition 2.13. (Partition of the system). A partition of a given multipartite system $P_{XY|UV}$, which fulfills a certain set of non-signalling conditions $C$, is a family of pairs $(p^z, P^z_{XY|UV})$, where:

1. $p^z$ is a classical distribution (i.e., for all $z$, $p^z \ge 0$ and $\sum_z p^z = 1$).

2. For all $z$, $P^z_{XY|UV}$ is a system that fulfills $C$.

3. $P_{XY|UV} = \sum_z p^z \cdot P^z_{XY|UV}$.
We can use the same proof as in Lemmas 2 and 3 in [12] to prove that this is indeed a legitimate model, i.e., that the set of all partitions covers exactly all the possible strategies of a non-signalling adversary in our case.

It is further proven in [11] that for showing an impossibility result, we can assume that Eve's information $Z$ is a binary random variable:

Lemma 2.14. (Lemma 5 in [11]). If $(p^{z_0}, P^{z_0}_{XY|UV})$ is an element of a partition with $m$ elements, then it is also possible to define a new partition with only two elements, in which one of the elements is $(p^{z_0}, P^{z_0}_{XY|UV})$.

Moreover, it is not necessary to determine both parts of the partition ($(p^{z=0}, P^{z=0}_{XY|UV})$ and $(p^{z=1}, P^{z=1}_{XY|UV})$) explicitly. Instead, a condition on the system given outcome $z = 0$ is given, which makes sure that there exists a second part, complementing it to a partition:

Lemma 2.15. (Lemma 6 in [11]). Given a non-signalling distribution $P_{XY|UV}$, there exists a partition with element $(p^{z=0}, P^{z=0}_{XY|UV})$ if and only if for all inputs and outputs $x, y, u, v$ it holds that $p^{z=0} \cdot P^{z=0}_{XY|UV}(x, y \mid u, v) \le P_{XY|UV}(x, y \mid u, v)$.

For the formal proofs of these lemmas, note that since the non-signalling conditions are linear, the same proofs as in Lemma 5 and Lemma 6 in [11] hold here as well, no matter which non-signalling conditions are imposed on $P_{XY|UV}$.

Defining a partition is equivalent to choosing a measurement $W = w$; therefore, we can also write the distance from uniform of a key, as in Equation (1), using the partition itself. Since we will only need to consider the case where Alice and Bob try to output one secret bit, we can further simplify the expression, as in the following lemma.

Lemma 2.16. (Lemma 5.1 in [10]). For the case $K = f(X)$, where $f : \{0,1\}^{|X|} \to \{0,1\}$, $U = u$, 
$V = v$, and where the strategy $W = w$ is defined by the partition $\{(p_z, P^z_{XY|UV})\}_{z \in \{0,1\}}$, 
$$d(K|Z(w)) = \frac{1}{2} \sum_z p_z \left| \sum_{x,y} (-1)^{f(x)} P^z_{XY|UV}(x,y|u,v) \right|.$$

For a proof see Lemma 5.1 in [10]. 



3 The Non-signalling Assumptions 
3.1 The basic assumptions 

It was proven in [12] (Lemma 5) that any unbiased PR-box with error $\varepsilon < 0.25$ holds some secrecy. 
With the goal of amplifying the privacy of the secret in mind, Alice and Bob now share $n$ such systems. 
The underlying system of Alice and Bob that we consider is a product of $n$ independent PR-boxes 
with errors (Definition 1.3), as seen from Alice's and Bob's point of view. This is stated formally in 
the following definition: 

Definition 3.1. (Product system). A product system of $n$ copies of PR-boxes with error $\varepsilon$ is the 
system $P_{XY|UV} = \prod_{i=1}^{n} P_{X_iY_i|U_iV_i}$, where for each $i$ the system $P_{X_iY_i|U_iV_i}$ is an unbiased PR-box with 
error $\varepsilon$ as in Definition 1.3. 
In addition, as explained in Section 2.2, in order for any system to be useful, we will always make 
sure that Alice and Bob cannot signal to each other (otherwise any non-local violation will not have 
any meaning: it could have also been achieved by signalling between the systems). Mathematically, 
this means that for any outcome $z$ of any adversary, Alice and Bob cannot signal to each other using 
the system $P^z_{XY|UV}$, i.e., $P^z_{XY|UV}$ fulfills the conditions of Definition 2.3. 

On top of this assumption we can now add more non-signalling assumptions of different types. 
For example, in [13], [15] and [16] it was proven that if we assume full non-signalling conditions then 
privacy amplification is possible. On the contrary, in [11] it was proven that if we do not add more 
non-signalling assumptions (and use only the assumption that Alice and Bob cannot signal to each 
other) then privacy amplification is impossible. An interesting question is therefore what happens in 
the middle: is privacy amplification possible when we use some additional assumptions but not all of 
them? 

The goal of this letter is to consider the conditions of almost backward non-signalling systems, 
given in Definition 2.5. We will do so by considering a larger set of equations, defined formally in 
Section 3.2. 



3.2 Our additional assumptions 

Consider the following system. 

Definition 3.2. Alice, Bob and Eve share a system $P_{XYZ|UVW}$ such that: 

1. The marginal system of Alice and Bob $P_{XY|UV}$ is a product system as in Definition 3.1. 

2. For any $z$, $P^z_{XY|UV}$ fulfills the conditions of Definition 2.3 (Alice and Bob cannot signal to each 
other). 

3. For all $i \in [n]$ and for any $z$, 
$$\forall x_{[n]/\{i\}},\, y_{[n]/\{i\}},\, u_i,\, u'_i,\, u_{[n]/\{i\}},\, v:\quad \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u,v) = \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u',v),$$
$$\forall x_{[n]/\{i\}},\, y_{[n]/\{i\}},\, u,\, v_i,\, v'_i,\, v_{[n]/\{i\}}:\quad \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u,v) = \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u,v'),$$
where $u'$ (resp. $v'$) denotes $u$ (resp. $v$) with its $i$-th bit replaced by $u'_i$ (resp. $v'_i$). 

Note that the set of these conditions is equivalent to 
$$\forall x_{[n]/\{i\}},\, y_{[n]/\{i\}},\, u_i, u'_i, u_{[n]/\{i\}},\, v_i, v'_i, v_{[n]/\{i\}}:\quad \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u,v) = \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u',v'). \qquad (2)$$

To see this, first note that the conditions of Definition 3.2 are a special case of Equation (2). For the 
second direction: for all $x_{[n]/\{i\}}, y_{[n]/\{i\}}, u_i, u'_i, u_{[n]/\{i\}}, v_i, v'_i, v_{[n]/\{i\}}$, 
$$\sum_{x_i,y_i} P^z_{XY|UV}(x,y|u,v) = \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u',v) = \sum_{x_i,y_i} P^z_{XY|UV}(x,y|u',v').$$

Therefore, the equations of Definition 3.2 mean that for all $i$, parties $A_i$ and $B_i$ together cannot signal to 
the other parties (see Figure 6). 

Figure 6: The n.s. conditions of Definition 3.2 for $i = 3$ 

Adding these assumptions to the non-signalling assumption between Alice and Bob (Definition 2.3) 
does not imply the full non-signalling conditions. To see this consider the following example. Alice 
and Bob share a system $P_{XY|UV}$ such that $X, Y, U, V \in \{0,1\}^2$. We define the system such that each 
of the outputs is a perfectly random bit and independent of any input, except for $X_2$, which is equal 
to $Y_1 \oplus U_1$. The outputs on Bob's side look completely random and independent of any input, i.e., 
the system is non-signalling from Alice to Bob. Now note that whenever we do not have access to $Y_1$, 
then $X_2$ also looks like a perfectly random bit and independent of the input. Therefore, the system is 
also non-signalling from Bob to Alice, and the conditions of Definition 3.2 hold as well. However, this 
system is not fully non-signalling, since the input $U_1$ can be perfectly known from $X_2$ and $Y_1$ (i.e. $A_1$ 
can signal to $A_2$ and $B_1$ together). 

Adding this set of equations as assumptions means adding a lot more assumptions about the system 
(on top of the basic system described before). Intuitively, such a system is close to being a fully non-
signalling system. We will prove that even in this case, Theorem 15 in [11] still holds and privacy 
amplification is impossible: 

Theorem 3.3. There exists a system as in Definition 3.2 such that for any hash function $f$, there exists 
a partition $w$ for which the distance from uniform of $f(X)$ given $w$ is at least $c(\varepsilon)$, i.e., $d(f(X)|Z(w)) \geq 
c(\varepsilon)$, where $c(\varepsilon)$ is some constant which depends only on the error of a single box, $\varepsilon$ (as in Definition 
3.1). 

Note that although our set of equations might seem unusual, proving an impossibility result for this 
set implies the same impossibility result for all sets of linear equations that are determined by it. The 
set of equations of an almost backward non-signalling system, as in Definition 2.5, is one interesting 
example of such a set. 

Lemma 3.4. The almost backward non-signalling conditions, as in Definition 2.5, are implied by the 
non-signalling conditions of Definition 3.2. 

Proof. Consider the set of equations in Definition 2.5. We will now prove them using the equations in 
Definition 3.2; this will imply that if the assumptions of Definition 3.2 hold then so do the assumptions 
of almost backward non-signalling. 
For every $i \in [n]$ we can write (with $I_1$, $I_2$ as in Definition 2.5) 
$$\sum_{x_{I_2}, y_{I_2}} P_{XY|UV}(x,y|u_{I_1}, u_{I_2}, v_{I_1}, v_{I_2})
= \sum_{x_{I_2/\{i\}},\, y_{I_2/\{i\}}}\ \sum_{x_i, y_i} P_{XY|UV}(x,y|u_{I_1}, u_i, u_{I_2/\{i\}}, v_{I_1}, v_i, v_{I_2/\{i\}})$$
$$= \sum_{x_{I_2/\{i\}},\, y_{I_2/\{i\}}}\ \sum_{x_i, y_i} P_{XY|UV}(x,y|u_{I_1}, u'_i, u_{I_2/\{i\}}, v_{I_1}, v'_i, v_{I_2/\{i\}})$$
$$= \sum_{x_{I_2/\{i+1\}},\, y_{I_2/\{i+1\}}}\ \sum_{x_{i+1}, y_{i+1}} P_{XY|UV}(x,y|u_{I_1}, u'_i, u_{i+1}, u_{I_2/\{i,i+1\}}, v_{I_1}, v'_i, v_{i+1}, v_{I_2/\{i,i+1\}})$$
$$= \sum_{x_{I_2/\{i+1\}},\, y_{I_2/\{i+1\}}}\ \sum_{x_{i+1}, y_{i+1}} P_{XY|UV}(x,y|u_{I_1}, u'_{\{i,i+1\}}, u_{I_2/\{i,i+1\}}, v_{I_1}, v'_{\{i,i+1\}}, v_{I_2/\{i,i+1\}})$$
$$= \cdots = \sum_{x_{I_2}, y_{I_2}} P_{XY|UV}(x,y|u_{I_1}, u'_{I_2}, v_{I_1}, v'_{I_2}),$$
where each step that replaces $u_j, v_j$ by $u'_j, v'_j$ is an application of Equation (2) for the index $j$. $\square$ 



Combining Lemma 3.4 together with Theorem 3.3 implies the following. 

Corollary 3.5. There exists an almost backward non-signalling system as in Definition 2.5 such that 
for any hash function $f$, there exists a partition $w$ for which the distance from uniform of $f(X)$ given 
$w$ is at least $c(\varepsilon)$, i.e., $d(f(X)|Z(w)) \geq c(\varepsilon)$, where $c(\varepsilon)$ is some constant which depends only on the 
error of a single box, $\varepsilon$ (as in Definition 3.1). 

Another interesting example is the set of equations which includes non-signalling conditions between 
all of Alice's systems alone and non-signalling conditions between all of Bob's systems alone, together 
with the condition of non-signalling between Alice and Bob. 

Definition 3.6. An $n$-party conditional probability distribution $P_{XY|UV}$ over $X, Y, U, V \in \{0,1\}^n$ is 
completely non-signalling on Alice's side and completely non-signalling on Bob's side if for any $i \in [n]$, 
$$\forall x_{[n]/\{i\}}, u_i, u'_i, u_{[n]/\{i\}}:\quad \sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u_i, u_{[n]/\{i\}}) = \sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u'_i, u_{[n]/\{i\}}),$$
$$\forall y_{[n]/\{i\}}, v_i, v'_i, v_{[n]/\{i\}}:\quad \sum_{y_i} P_{Y|V}(y_i, y_{[n]/\{i\}}|v_i, v_{[n]/\{i\}}) = \sum_{y_i} P_{Y|V}(y_i, y_{[n]/\{i\}}|v'_i, v_{[n]/\{i\}}),$$
where $P_{X|U}$ is the marginal system of $P_{XY|UV}$ held by Alice, and $P_{Y|V}$ is the marginal system of 
$P_{XY|UV}$ held by Bob. 

Lemma 3.7. The non-signalling conditions of Definition 3.6 are implied by the non-signalling condi-
tions of Definition 3.2. 
Proof. We show that this is true for Alice's side. The proof for Bob's side is analogous. First, for any 
$i \in [n]$, we can write the equation 
$$\forall x_{[n]/\{i\}}, u_i, u'_i, u_{[n]/\{i\}}:\quad \sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u_i, u_{[n]/\{i\}}) = \sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u'_i, u_{[n]/\{i\}})$$
using the original system $P_{XY|UV}$ and the definition of a marginal system: 
$$\sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u_i, u_{[n]/\{i\}}) = \sum_{x_i, y} P_{XY|UV}(x,y|u_i, u_{[n]/\{i\}}, v).$$
Now, as in the proof of Lemma 3.4, 
$$\sum_{x_i, y} P_{XY|UV}(x,y|u_i, u_{[n]/\{i\}}, v)
= \sum_{y_{[n]/\{i\}}}\ \sum_{x_i, y_i} P_{XY|UV}(x,y|u_i, u_{[n]/\{i\}}, v)
= \sum_{y_{[n]/\{i\}}}\ \sum_{x_i, y_i} P_{XY|UV}(x,y|u'_i, u_{[n]/\{i\}}, v)
= \sum_{x_i, y} P_{XY|UV}(x,y|u'_i, u_{[n]/\{i\}}, v),$$
where the middle equality is the condition of Definition 3.2, and the right-hand side equals 
$\sum_{x_i} P_{X|U}(x_i, x_{[n]/\{i\}}|u'_i, u_{[n]/\{i\}})$ by the definition of the marginal. $\square$ 


Combining Lemma 3.7 together with Theorem 3.3 implies the following. 

Corollary 3.8. There exists a system as in Definition 3.6 such that for any hash function $f$, there 
exists a partition $w$ for which the distance from uniform of $f(X)$ given $w$ is at least $c(\varepsilon)$, i.e., 
$d(f(X)|Z(w)) \geq c(\varepsilon)$, where $c(\varepsilon)$ is some constant which depends only on the error of a single box, $\varepsilon$ 
(as in Definition 3.1). 

4 Privacy Amplification Against Non-signalling Adversaries 

4.1 The impossibility of privacy amplification under the basic non-signalling 
assumptions 

We use here the same adversarial strategy as presented in [11] and therefore repeat it here shortly for 
completeness. For additional intuitive explanations and complete formal proofs please see [11]. 

As explained before, Alice's and Bob's goal is to create a highly secure key using a system, $P_{XY|UV}$, 
shared by both of them. Eve's goal is to get some information about the key. It is therefore natural 
to model this situation in the following way: Alice, Bob and Eve share together a system $P_{XYZ|UVW}$, 
an extension of the system $P_{XY|UV}$ held by Alice and Bob, which fulfills some known non-signalling 
conditions. Each party can perform measurements on its part of the system (i.e., insert inputs and 
read the outputs of its interface of the system) and communicate using a public authenticated channel. 
Alice then applies some public hash function $f$ to the outcome she holds, $X$, and in the end Alice 
should have a key $K = f(X)$ which is $\varepsilon$-indistinguishable from an ideal, uniformly distributed key, 
even conditioned on Eve's information, i.e., $d(K|Z(W)) \leq \varepsilon$. 

The distance from uniform of the key $K$ is lower-bounded by the distance from uniform of a single 
bit of the key, and therefore, for an impossibility result, it is enough to assume that $f$ outputs just one 
bit. Note that since the adversarial strategy can be chosen after all public communication is over, it can 
also depend on a random seed for the hash function. Therefore it is enough to consider deterministic 
functions in this case. 

We consider a partition with only two outputs, $z = 0$ and $z = 1$, each occurring with probability 
$\frac{1}{2}$, such that given $z = 0$, $f(X)$ is maximally biased towards $0$. According to Lemma 2.15 it is enough 
to explicitly construct the conditional system given measurement outcome $z = 0$. In order to do so we 
start from the unbiased system as seen by Alice and Bob and "shift around" probabilities such that 
$f(X)$ is maximally biased towards $0$ and the marginal system remains valid. By valid we mean that: 

1. All entries must remain probabilities between $0$ and $1$. 

2. The normalization of the probability distribution must remain. 

3. The non-signalling cond
ition between Alice and Bob must be satisfied. 

4. There must exist a second measurement outcome $z = 1$ occurring with probability $\frac{1}{2}$, and such 
that the conditional system, given outcome $z = 1$, is also a valid probability distribution. This 
second system must be able to compensate for the shifts in probabilities. According to Lemma 
2.15 this means that the entry in every cell must be smaller than or equal to twice the original entry. 

The system $P^{z=0}_{XY|UV}$ which describes this strategy is defined formally in the following way. For sim-
plicity we will drop the subscript of $P_{XY|UV}(x,y|u,v)$ and write only $P(x,y|u,v)$. We use the same 
notations as in [11, 10] and define the following groups: 
$$y_< = \Big\{\, y \ \Big|\ \sum_{x | f(x)=0} P(x,y|u,v) < \sum_{x | f(x)=1} P(x,y|u,v) \Big\}, \qquad
y_> = \Big\{\, y \ \Big|\ \sum_{x | f(x)=0} P(x,y|u,v) \geq \sum_{x | f(x)=1} P(x,y|u,v) \Big\},$$
$$x_0 = \{\, x \mid f(x) = 0 \,\}, \qquad x_1 = \{\, x \mid f(x) = 1 \,\},$$
and a factor $c(x,y|u,v)$ as: 
$$\forall x \in x_0,\ y \in y_<: \quad c(x,y|u,v) = 2$$
$$\forall x \in x_0,\ y \in y_>: \quad c(x,y|u,v) = \frac{\sum_{x'} P(x',y|u,v)}{\sum_{x' | f(x')=0} P(x',y|u,v)}$$
$$\forall x \in x_1,\ y \in y_>: \quad c(x,y|u,v) = 0$$
$$\forall x \in x_1,\ y \in y_<: \quad c(x,y|u,v) = \frac{\sum_{x'} (-1)^{f(x')+1} P(x',y|u,v)}{\sum_{x' | f(x')=1} P(x',y|u,v)}$$
The system $P^{z=0}$ is then defined as $P^{z=0}(x,y|u,v) = c(x,y|u,v) \cdot P(x,y|u,v)$. 

Intuitively, this definition of the strategy means that for each $u, v$ and within each row, Eve shifts 
as much probability as possible out from the cells $P(x,y|u,v)$ for which $f(x) = 1$ and into the cells 
$P(x',y|u,v)$ for which $f(x') = 0$ (she wants $P^{z=0}$ to be biased towards $0$). The factor $c(x,y|u,v)$ is 
defined in such a way that as much probability as possible is being shifted, while still keeping the 
system $P^{z=0}$ a valid element of a partition. 

Although Eve shifts probabilities for each $u, v$ separately, $P^{z=0}$ will still fulfill the required non-
signalling conditions, which connect the inputs $u, v$ to other inputs $u', v'$; this is due to the high 
symmetry in the original marginal box of Alice and Bob (Definition 3.1). For example, it is easy to see 
that since Eve only shifts probabilities within the same row (i.e. cells with the same value of $y$) Bob 
cannot signal to Alice using $P^{z=0}$: the sum of the probabilities in one row stays the same as it was in 
$P$, and since $P$ did not allow for signalling from Bob to Alice, neither does $P^{z=0}$. The other non-signalling 
conditions follow from somewhat more complex symmetries. 

It was proven in [11] that for this strategy² $d(K|Z(w))$ < ~ 1+ ^+ 64£2 . 

4.2 Proof of the theorem - a more general impossibility result 

In order to prove Theorem 3.3 we will just prove that the adversarial strategy presented in [11] still 
works. Formally, this means that we need to prove that the element $(p_{z=0} = \frac{1}{2}, P^{z=0}(x,y|u,v))$ in the 
partition is still valid, even when we add the assumptions of Definition 3.2, and that $d(K|Z(w))$ is 
high. Since we do not change the strategy, the same bound on $d(K|Z(w))$ still holds. Moreover, it was 
already proven in [11] that $P^{z=0}(x,y|u,v)$ does not allow signalling between Alice and Bob, therefore 
we only need to prove that our additional non-signalling assumptions of Definition 3.2 hold in the 
system $P^{z=0}(x,y|u,v)$, i.e., the system satisfies our assumptions even conditioned on Eve's result. 
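As an added example (my own code, not from the paper or from [11]), the strategy of Section 4.1 and the checks of this section written out in Python for a product of $n$ PR-boxes: it builds $P$, applies Eve's factor $c(x,y|u,v)$ to obtain $P^{z=0}$, verifies that the result is a valid partition element which still satisfies Definition 2.3 and Equation (2), and evaluates $d(K|Z(w))$ via Lemma 2.16. The function names and the sample choice $n = 2$, $\varepsilon = 1/10$, $f(X) = X_1 \oplus X_2$ are my assumptions.

```python
# Added example (not from the paper): Eve's row-shifting strategy P^{z=0} of
# Section 4.1 against n unbiased PR-boxes (Definition 3.1), with checks that it
# is a valid partition element (Lemma 2.15) satisfying Definition 2.3 and
# Equation (2), and the key bias d(K|Z(w)) of Lemma 2.16. Exact arithmetic.
from fractions import Fraction
from itertools import product


def bits(n):
    """All n-bit tuples."""
    return list(product((0, 1), repeat=n))


def setbit(t, i, b):
    """Copy of tuple t with position i replaced by b (u^i is setbit(u, i, 1 - u[i]))."""
    return t[:i] + (b,) + t[i + 1:]


def pr_product(n, eps):
    """P(x,y|u,v) = prod_i P(x_i,y_i|u_i,v_i): each box is an unbiased PR-box with
    error eps, i.e. x_i xor y_i = u_i*v_i has weight (1-eps)/2, else eps/2."""
    eps, P = Fraction(eps), {}          # eps may be given as a string like "1/10"
    for x, y, u, v in product(bits(n), repeat=4):
        p = Fraction(1)
        for i in range(n):
            p *= (1 - eps) / 2 if (x[i] ^ y[i]) == (u[i] & v[i]) else eps / 2
        P[x, y, u, v] = p
    return P


def eve_shift(P, n, f):
    """P^{z=0} = c(x,y|u,v) * P(x,y|u,v): in every row (fixed y,u,v) move as much
    mass as allowed from f(x)=1 cells into f(x)=0 cells, keeping the row sum
    and never exceeding twice the original entry (since p_{z=0} = 1/2)."""
    P0 = {}
    for y, u, v in product(bits(n), repeat=3):
        m0 = sum(P[x, y, u, v] for x in bits(n) if f(x) == 0)
        m1 = sum(P[x, y, u, v] for x in bits(n) if f(x) == 1)
        for x in bits(n):
            if m0 < m1:  # row of type y_<: double the 0-cells, shrink the 1-cells
                c = 2 if f(x) == 0 else (m1 - m0) / m1
            else:        # row of type y_>: empty the 1-cells into the 0-cells
                c = ((m0 + m1) / m0 if m0 else 0) if f(x) == 0 else 0
            P0[x, y, u, v] = c * P[x, y, u, v]
    return P0


def valid_partition_element(P, P0, n):
    """Lemma 2.15 with p_{z=0} = 1/2: 0 <= P0 <= 2P and each (u,v) block sums to 1."""
    return all(0 <= P0[k] <= 2 * P[k] for k in P) and all(
        sum(P0[x, y, u, v] for x in bits(n) for y in bits(n)) == 1
        for u in bits(n) for v in bits(n))


def alice_bob_nonsignalling(Q, n):
    """Definition 2.3: Alice's marginal is independent of v, Bob's of u."""
    return all(len({sum(Q[x, y, u, v] for y in bits(n)) for v in bits(n)}) == 1
               for x in bits(n) for u in bits(n)) and all(
        len({sum(Q[x, y, u, v] for x in bits(n)) for u in bits(n)}) == 1
        for y in bits(n) for v in bits(n))


def pairwise_nonsignalling(Q, n):
    """Equation (2): for each i, summing out x_i,y_i removes every dependence on
    (u_i,v_i), i.e. A_i and B_i together cannot signal to the other parties."""
    for i in range(n):
        for x, y, u, v in product(bits(n), repeat=4):
            sums = {sum(Q[setbit(x, i, a), setbit(y, i, b), setbit(u, i, c), setbit(v, i, d)]
                        for a in (0, 1) for b in (0, 1)) for c in (0, 1) for d in (0, 1)}
            if len(sums) != 1:
                return False
    return True


def dist_from_uniform(P, P0, n, f, u, v):
    """Lemma 2.16 for the partition {(1/2, P0), (1/2, 2P - P0)} at inputs u, v."""
    P1 = {k: 2 * P[k] - P0[k] for k in P}
    return sum(Fraction(1, 4) * abs(sum((-1) ** f(x) * Pz[x, y, u, v]
                                        for x in bits(n) for y in bits(n)))
               for Pz in (P0, P1))
```

For $n = 2$, $\varepsilon = 1/10$ and $f(X) = X_1 \oplus X_2$ the unshifted $P$ gives a perfectly uniform key bit at $u = v = 11$, while Eve's $P^{z=0}$ passes all three checks and yields $d(K|Z(w)) = 9/50$.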

The first three lemmas deal with the impossibility of signalling from Alice's side and the next three 
lemmas deal with Bob's side. All the lemmas use the high symmetry of the marginal box (Definition 
3.1). What these lemmas show is that most of this symmetry still exists in $P^{z=0}$, because we only 
shift probabilities within the same row. 

We use the following notation: for all $i \in [n]$ let $u^i$ be $u^i = u_1 \ldots u_{i-1} \bar{u}_i u_{i+1} \ldots u_n$ (i.e., only the 
$i$'th bit is flipped) and the same for $x^i$, $y^i$ and $v^i$. 

Lemma 4.1. For all $i \in [n]$ and for all $x, y, u, v$ such that $v_i = 1$, $P(x, y^i|u, v) = P(x, y|u^i, v)$. 

Proof. For every single box, $P_{X_iY_i|U_iV_i}(x_i, y_i|u_i, v_i) = P_{X_iY_i|U_iV_i}(\bar{x}_i, \bar{y}_i|u_i, v_i)$. Therefore it also holds 
that $P(x, y|u, v) = P(x^i, y^i|u, v)$. Moreover, a single box assigns its probability as a function of 
$x_i \oplus y_i \oplus u_i v_i$ only, and since $v_i = 1$ we have $x_i \oplus y_i \oplus \bar{u}_i v_i = \bar{x}_i \oplus y_i \oplus u_i v_i$, so 
$$P_{X_iY_i|U_iV_i}(x_i, y_i|\bar{u}_i, v_i) = P_{X_iY_i|U_iV_i}(\bar{x}_i, y_i|u_i, v_i);$$ 
as the other boxes are unaffected by $u_i$, this gives $P(x, y|u^i, v) = P(x^i, y|u, v)$. 
Combining these two properties together, we get $P(x, y|u^i, v) = P(x^i, y|u, v) = P(x, y^i|u, v)$. 
$\square$ 

² Actually, this strategy is used only when Alice uses a hash function which does not allow Bob to generate 
a bit from his output of the system, $Y$, which is highly correlated with the key. If Alice uses a function which does 
allow Bob to get a highly correlated key, then this function has to be biased and therefore Eve can just use the trivial 
strategy of doing nothing. For more details please see [11]. 

Lemma 4.2. For all $i \in [n]$ and for all $x, y, u, v$ such that $v_i = 1$, $c(x, y^i|u, v) = c(x, y|u^i, v)$. I.e., the 
cells $P(x, y^i|u, v)$ and $P(x, y|u^i, v)$ are from the same type ($x_0/x_1$, $y_>/y_<$). 

Proof. First, it is clear that if $P(x, y^i|u, v)$ was an $x_0$ ($x_1$) cell, so is $P(x, y|u^i, v)$, because this only 
depends on $x$. 

Now note that Lemma 4.1 is correct for every $x$, therefore the entire row $P(\cdot, y^i|u, v)$ is equivalent 
to the row $P(\cdot, y|u^i, v)$. This means that if we change $y^i$ to $y$ and $u$ to $u^i$ together, we will get the 
same row, and therefore if $P(x, y^i|u, v)$ was a $y_<$ ($y_>$) cell, so is $P(x, y|u^i, v)$. All together we get 
$c(x, y^i|u, v) = c(x, y|u^i, v)$. $\square$ 

The properties of the marginal system $P_{XY|UV}$ which are being used in Lemma 4.1 and Lemma 4.2 
can be easily seen, for example, in Table 1 and Table 2. For simplicity we consider a product of only 
2 systems. When changing Alice's input from $u = 11$ to $u = 10$ while $v = 11$, the rows interchange as 
Lemma 4.1 suggests. 

$$
\begin{array}{c|cccc}
y \backslash x & 00 & 01 & 10 & 11 \\ \hline
00 & \left(\frac{\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{1-\varepsilon}{2}\right)^2 \\
01 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{\varepsilon}{2}\right)^2 & \left(\frac{1-\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} \\
10 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{1-\varepsilon}{2}\right)^2 & \left(\frac{\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} \\
11 & \left(\frac{1-\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{\varepsilon}{2}\right)^2
\end{array}
$$

Table 1: $P_{XY|UV}$ for two systems ($n = 2$), for $u = 11$, $v = 11$ 

$$
\begin{array}{c|cccc}
y \backslash x & 00 & 01 & 10 & 11 \\ \hline
00 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{\varepsilon}{2}\right)^2 & \left(\frac{1-\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} \\
01 & \left(\frac{\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{1-\varepsilon}{2}\right)^2 \\
10 & \left(\frac{1-\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{\varepsilon}{2}\right)^2 \\
11 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2} & \left(\frac{1-\varepsilon}{2}\right)^2 & \left(\frac{\varepsilon}{2}\right)^2 & \frac{\varepsilon}{2}\cdot\frac{1-\varepsilon}{2}
\end{array}
$$

Table 2: $P_{XY|UV}$ for two systems ($n = 2$), for $u = 10$, $v = 11$ 

Lemma 4.3. In the conditional system $P^{z=0}$, for any $i \in [n]$ 
$$\forall x_{[n]/\{i\}},\, y_{[n]/\{i\}},\, u_i,\, u_{[n]/\{i\}},\, v:\quad \sum_{x_i, y_i} P^{z=0}(x, y|u, v) = \sum_{x_i, y_i} P^{z=0}(x, y|u^i, v).$$



Proof. First note that for any $u$ and $v$ such that $v_i = 0$ the probability distribution $P_{XY|U=u,V=v}$ is 
identical to $P_{XY|U=u^i,V=v}$ (because of the properties of a single box, see Figure 3). Therefore Eve 
will shift the probabilities in these two systems in the same way, which implies that $P^{z=0}_{XY|U=u,V=v}$ is 
identical to $P^{z=0}_{XY|U=u^i,V=v}$ and in particular any non-signalling conditions will hold in this case. 

Assume $v_i = 1$. We will prove something a bit stronger than needed. We prove that for all 
$x, y_{[n]/\{i\}}, u_i, u_{[n]/\{i\}}, v$, $\sum_{y_i} P^{z=0}(x, y|u, v) = \sum_{y_i} P^{z=0}(x, y|u^i, v)$. This in particular implies that 
$\sum_{x_i, y_i} P^{z=0}(x, y|u, v) = \sum_{x_i, y_i} P^{z=0}(x, y|u^i, v)$ also holds. 
$$\sum_{y_i} P^{z=0}(x, y|u^i, v) = \sum_{y_i} c(x, y|u^i, v) \cdot P(x, y|u^i, v) = \sum_{y_i} c(x, y^i|u, v) \cdot P(x, y^i|u, v) = \sum_{y_i} P^{z=0}(x, y^i|u, v) = \sum_{y_i} P^{z=0}(x, y|u, v).$$
The first and third equalities are by the definition of $P^{z=0}$, the second equality is due to Lemma 4.1 
and Lemma 4.2, and the last equality is due to the fact that the sum is over $y_i$. 
$\square$ 

Lemma 4.4. For all $i \in [n]$ and for all $x, y, u, v$ such that $u_i = 1$, $P(x, y^i|u, v) = P(x, y|u, v^i)$. 

Proof. Write $P(x, y|u, v^i) = \prod_{j} P_{X_jY_j|U_jV_j}(x_j, y_j|u_j, v^i_j)$. All factors with $j \neq i$ coincide with those 
of $P(x, y^i|u, v)$. For the $i$-th factor, a single box assigns its probability as a function of $x_i \oplus y_i \oplus u_i v_i$ 
only, and since $u_i = 1$ we have $x_i \oplus y_i \oplus u_i \bar{v}_i = x_i \oplus \bar{y}_i \oplus u_i v_i$, so 
$$P_{X_iY_i|U_iV_i}(x_i, y_i|u_i, \bar{v}_i) = P_{X_iY_i|U_iV_i}(x_i, \bar{y}_i|u_i, v_i).$$ 
Hence $P(x, y|u, v^i) = P(x, y^i|u, v)$. $\square$ 



Lemma 4.5. For all $i \in [n]$ and for all $x, y, u, v$ such that $u_i = 1$, $c(x, y^i|u, v) = c(x, y|u, v^i)$. I.e., the 
cells $P(x, y^i|u, v)$ and $P(x, y|u, v^i)$ are from the same type ($x_0/x_1$, $y_>/y_<$). 

Proof. As in Lemma 4.2, it is clear that if $P(x, y^i|u, v)$ was an $x_0$ ($x_1$) cell, so is $P(x, y|u, v^i)$, because 
this only depends on $x$. 

Lemma 4.4 is correct for every $x$, therefore the entire row $P(\cdot, y^i|u, v)$ is equivalent to the row 
$P(\cdot, y|u, v^i)$, and therefore if $P(x, y^i|u, v)$ was a $y_<$ ($y_>$) cell, so is $P(x, y|u, v^i)$. All together we get 
$c(x, y^i|u, v) = c(x, y|u, v^i)$. $\square$ 

Lemma 4.6. In the conditional system $P^{z=0}$, for any $i \in [n]$ 
$$\forall x_{[n]/\{i\}},\, y_{[n]/\{i\}},\, u,\, v_i,\, v_{[n]/\{i\}}:\quad \sum_{x_i, y_i} P^{z=0}(x, y|u, v) = \sum_{x_i, y_i} P^{z=0}(x, y|u, v^i).$$

Proof. In an analogous way to the proof of Lemma 4.3, if $u_i = 0$ the proof is trivial. Assume $u_i = 1$. 
We prove that for all $x, y_{[n]/\{i\}}, u, v_i, v_{[n]/\{i\}}$, $\sum_{y_i} P^{z=0}(x, y|u, v) = \sum_{y_i} P^{z=0}(x, y|u, v^i)$. This in particular 
implies that $\sum_{x_i, y_i} P^{z=0}(x, y|u, v) = \sum_{x_i, y_i} P^{z=0}(x, y|u, v^i)$ also holds. 
$$\sum_{y_i} P^{z=0}(x, y|u, v^i) = \sum_{y_i} c(x, y|u, v^i) \cdot P(x, y|u, v^i) = \sum_{y_i} c(x, y^i|u, v) \cdot P(x, y^i|u, v) = \sum_{y_i} P^{z=0}(x, y^i|u, v) = \sum_{y_i} P^{z=0}(x, y|u, v).$$
Here the second equality is due to Lemma 4.4 and Lemma 4.5, and the last one holds because the sum is over $y_i$. $\square$ 
Note that the only difference between the full non-signalling conditions and what we have proved 
here is that in Lemma 4.3 we have to keep the summation over $y_i$. Moreover, it is interesting to see 
that at least on Bob's side, the "full" non-signalling conditions also hold in $P^{z=0}$. Since Eve's strategy 
is defined to work on each row separately, the symmetry on Bob's side does not break at all. 

Lemmas 4.3 and 4.6 together prove that the assumption of Definition 3.2 holds even conditioned 
on Eve's result. Adding this to the rest of the proof of [11] proves Theorem 3.3. 

5 Concluding Remarks and Open Questions 

In this letter we proved that privacy amplification is impossible even if we add a lot more non-signalling 
conditions over the assumptions of [11]. This also implies that privacy amplification is impossible under 
the assumptions of an almost backward non-signalling system. An interesting question which arises 
from our theorem is whether the non-signalling conditions in which the backward non-signalling systems 
and the almost backward non-signalling systems differ are the ones which give Eve the tremendous 
power which makes privacy amplification impossible. If yes, then it might be the case that privacy 
amplification is possible in the relevant setting of backward non-signalling systems. On the other 
hand, if the answer to this question is no, then privacy amplification is also impossible for backward 
non-signalling systems. If this is indeed the case then it seems that the security proof for any practical 
QKD protocol will have to be based on quantum physics somehow, and not on the non-signalling 
postulate alone. 

Another interesting question is whether we can extend our result to the case where Alice and Bob 
use a more interactive protocol to amplify the secrecy of their key; instead of just applying some hash 
function only on Alice's output $X$ and getting a key $K = f(X)$, maybe they can use Bob's output $Y$ as 
well and create a key $K = g(X, Y)$. 